Detection rules examples

ACSC Advisory IOCs detection rules

ACSC Advisory IOCs detection rules for Elastic SIEM

Threat detection Kibana dashboard

Kibana dashboard example visualizing the results of the Elastic SIEM detection engine

Sigma Elastic SIEM rules for web server logs

A collection of rules based on the Sigma detection rules for web server logs, e.g. Apache, Nginx or IIS.

Sigma detection rules for proxy server logs

A collection of rules based on the Sigma detection rules for proxy server and web server logs, e.g. Zeek or Suricata.

Sigma Sysmon detection rules

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

Sigma Windows Process Creation detection rules

A collection of rules based on the Sigma rules for Windows (process creation folder), built on Winlogbeat data.

Sigma Windows inbuilt detection rules

A collection of rules based on the Sigma rules for Windows (inbuilt folder), built on Winlogbeat data.

Sigma AWS CloudTrail detection rules

A collection of rules based on the Sigma rules for AWS, built on the Filebeat AWS module and the Elastic Agent integration.


More about Detection rules

If you are using the Elastic Stack, you believe in the power of open source and understand the importance of community. The two core goals of Elastic Security are to stop large-scale threats and to arm every analyst.

The Elastic Stack delivers hundreds to thousands of detection rules written by Elastic experts, covering MITRE ATT&CK® techniques. However, there is always room for improvement. On this page you will find a collection of detection rules made by the community, mainly influenced by the Sigma project.

The goal of this detection rule repository is to provide Elastic Security users with detections that work across various data sources. It uses ECS (Elastic Common Schema) as a common normalization layer for field names, making it possible to write rules that apply to multiple data sources at once.